On Wednesday, Oct. 6, live streaming service Twitch confirmed a data breach that exposed source code, confidential payout information, security tools and competitor insight. While there was no official confirmation of leaked passwords, all users were advised to change their passwords and turn on two-factor authentication. This leak is the largest confirmed attack against Amazon’s live video streaming service since March 2015.
Senior cybersecurity risk analyst at Johnson & Johnson and NJIT alumnus (B.S. Information Technology, 2017) Orion Wilchinsky believes this breach will have significant and lasting effects on the platform. “It’s hard to see this as anything other than Twitch being caught with their pants down,” Wilchinsky remarked. While the leaked data includes source code, payout information and even competitor insights, one potentially damning item is more worrisome: Twitch’s red team tools. Companies often hire red teams, or ethical hackers, to test their defenses and expose vulnerabilities that could be used to infiltrate their systems. “Red team tools are usually created on the fly during penetration tests,” Wilchinsky added. “That means that they are custom made to defeat Twitch’s systems. This is very dangerous in the wrong hands … It’s essentially a script kiddie’s skeleton key.”
In a best-case scenario, the tools are outdated, but they still might pose a significant threat to Twitch. These tools could include social engineering and phishing techniques that have proven successful in the past. However, if the tools are recent, potential hackers have the blueprints and training manuals to overcome Twitch’s defenses. Regardless of the age of the tools, Twitch will have to redesign its defenses or risk future leaks from users upset with the platform.
The anonymous hacker who leaked the data describes Twitch as a “toxic cesspool” and claims their motive was to “foster more disruption and competition in the online video streaming space,” according to their post on the controversial anonymous imageboard 4chan. The data was initially leaked online as a 128GB file shared through this platform.
Twitch has faced its share of criticism over the years. A rise in hate speech and bullying has led the platform to take a stronger approach to such content, threatening suspension for any user found in violation as of 2018. Updating its rules without strict enforcement led to malicious users “hate raiding” streamers in mid-2021. Hate raiding abused Twitch’s popular “raid” feature, which directs all viewers on a channel’s page to flood that of another user. In the case of hate raiding, the raiders used the feature to bully their victims and largely targeted Black and LGBTQ+ streamers.
An NJIT sophomore and Twitch streamer who chose to stay anonymous says that while they are lucky to not have been raided, they have had firsthand experience with the fallout. “I moderate a stream for a friend that had a hate raid,” they said. “I had to delete messages and ban accounts from that stream.” At the same time, users began calling for increased security when a vulnerability was discovered that allowed users to log the IP addresses of their viewers. The combination of unaddressed hate raiding and dangerous vulnerabilities led to a global boycott of the company in early September, with the hashtag #ADayOffTwitch.
“I don’t feel like [Twitch is] a company that is worth for beginn[er] streamers,” said Andrew Suarez, a senior majoring in information technology with a specialization in criminal justice. He has been streaming games such as osu! on and off for the past nine years on Twitch @aquiii, where he currently has 666 followers. “Its platform basically relies on luck over actual content and visibility. Most people who are successful either have transferred over from YouTube, have been there since the start and consistently continued, or are really lucky/skilled at the game they streamed. Their platform does not help those who want to grow in my opinion, and their affiliate program really is a joke.”
Despite the critique, one of the allures of Twitch is the promise of monetization for successful streamers. However, the leak revealed that about 67% of all Twitch Affiliates, streamers qualified to monetize their channels, have yet to pass the $100 payout threshold since 2019. The data also indicates glaring racial and gender pay inequity among the streamers who do earn on the platform. The top 20 earners (based on direct Twitch payouts, as opposed to also including sponsors and donations) are mainly white men who do not identify as part of the LGBTQ+ community.
“I have hopes, much like the hacker who did the leak, that all of this data will be used to fix Twitch as well as create competitors,” said Dale Schofield, Vice President of NJIT Esports and a senior majoring in information technology with a specialization in game development. Schofield can be found on Twitch @ilikepiez5642, where he streams modded Minecraft. “The source code leak is the most surprising yet promising because it’ll hopefully be used to create competitors or improve existing services. Hopefully this will increase competition and drive innovation, but time will tell.”
Like Schofield, many users are hopeful that the breach is only a small setback and can be used by the company to grow and embrace the changes that the community has asked for. Some of the leaked data points to Twitch actively beginning to implement technologies such as viewbot detection, which is designed to detect when streamers are fraudulently inflating their view count.
Though Twitch denies that passwords were leaked, it released a statement announcing that it has reset stream keys. Private users have reported receiving emails from Twitch instructing them to reset their passwords.
“Personally, I wasn’t impacted by this breach,” said Schofield. “I have two-factor authentication set up and recommend it for everyone on any and every service that offers it.” This data breach underscores the need for Cybersecurity Awareness Month. Don’t forget to configure two-factor authentication and update your passwords!